Amazon Linux 2023 Security Advisory: ALAS-2023-237
Advisory Release Date: 2023-07-05 20:13 Pacific
Advisory Updated Date: 2023-07-20 00:56 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. (CVE-2023-30581)
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario.
This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)
The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field.
This vulnerability impacts all Node.js active versions: v16, v18, and, v20. (CVE-2023-30589)
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.
However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".
The documented behavior is different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.
Please note that this is a documentation change an the vulnerability has been classified under CWE-1068 - Inconsistency Between Implementation and Documented Design. This change applies to all Node.js active versions: v16, v18, and, v20. (CVE-2023-30590)
Affected Packages:
nodejs
Issue Correction:
Run dnf update nodejs --releasever 2023.1.20230719 to update your system.
aarch64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.7.aarch64
nodejs-full-i18n-18.12.1-1.amzn2023.0.7.aarch64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.7.aarch64
nodejs-debuginfo-18.12.1-1.amzn2023.0.7.aarch64
nodejs-devel-18.12.1-1.amzn2023.0.7.aarch64
nodejs-18.12.1-1.amzn2023.0.7.aarch64
nodejs-libs-18.12.1-1.amzn2023.0.7.aarch64
npm-8.19.2-1.18.12.1.1.amzn2023.0.7.aarch64
nodejs-debugsource-18.12.1-1.amzn2023.0.7.aarch64
noarch:
nodejs-docs-18.12.1-1.amzn2023.0.7.noarch
src:
nodejs-18.12.1-1.amzn2023.0.7.src
x86_64:
nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.7.x86_64
nodejs-debuginfo-18.12.1-1.amzn2023.0.7.x86_64
nodejs-devel-18.12.1-1.amzn2023.0.7.x86_64
nodejs-full-i18n-18.12.1-1.amzn2023.0.7.x86_64
v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.7.x86_64
nodejs-18.12.1-1.amzn2023.0.7.x86_64
nodejs-libs-18.12.1-1.amzn2023.0.7.x86_64
npm-8.19.2-1.18.12.1.1.amzn2023.0.7.x86_64
nodejs-debugsource-18.12.1-1.amzn2023.0.7.x86_64